Add support for CORS

[jasonbosco]

@kishorenc I started writing a Swagger Spec for the API and noticed that the API is throwing a 404 for OPTIONS requests (triggered by the browser when Swagger Editor tries to call the Typesense API).

Could you add support for passing in a CORS whitelist, may be as a boot parameter?

v0.7.0

[kishorenc]

@jasonbosco Added via 523c142

Docker image 0.7.1 is also published:

https://hub.docker.com/r/typesense/typesense/tags/

[jasonbosco]

Almost works. It now returns a 200, but looks like it's missing the content-type header in the list of allowed headers:

Network Request:

Console:

[kishorenc]

@jasonbosco

According to the spec the server should send the value of the Access-Control-Request-Headers back in Access-Control-Allow-Headers if it accepts them. I am already doing that. Although I see that the Access-Control-Request-Headers is being sent in the screenshot, somehow the server is not finding it and hence the empty response.

Not sure why this is happening since it works for me in CURL... Can you try:

$ curl -H "Origin: http://example.com" \                                                                                                                                           ‹ruby-2.2.5@typesense›
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: x-typesense-api-key, Content-Type" \
  -X OPTIONS --verbose \
  http://localhost:8108/collections
*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8108 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8108 (#0)
> OPTIONS /collections HTTP/1.1
> Host: localhost:8108
> User-Agent: curl/7.53.1
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: x-typesense-api-key, Content-Type
>
< HTTP/1.1 200 OK
< Date: Tue, 02 Jan 2018 02:27:49 GMT
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS
< Access-Control-Allow-Headers: x-typesense-api-key, Content-Type
< Access-Control-Max-Age: 86400
< transfer-encoding: chunked
<
* Connection #0 to host localhost left intact

[jasonbosco]

@kishorenc Interestingly, when I try that curl out, I get blank value for headers:

$ curl -H "Origin: http://localhost:8108" \
>   -H "Access-Control-Request-Method: POST" \
>   -H "Access-Control-Request-Headers: x-typesense-api-key, Content-Type" \
>   -X OPTIONS --verbose \
>   http://localhost:8108/collections
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8108 (#0)
> OPTIONS /collections HTTP/1.1
> Host: localhost:8108
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: http://localhost:8108
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: x-typesense-api-key, Content-Type
>
< HTTP/1.1 200 OK
< Date: Tue, 02 Jan 2018 04:52:24 GMT
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS
< Access-Control-Allow-Headers:
< Access-Control-Max-Age: 86400
< transfer-encoding: chunked
<
* Connection #0 to host localhost left intact

Another thing I noticed is that if there's only one header passed in the request, say just Content-Type then the server returns that header:

$ curl -H "Origin: http://localhost:8108" \
>   -H "Access-Control-Request-Method: POST" \
>   -H "Access-Control-Request-Headers: Content-Type" \
>   -X OPTIONS --verbose \
>   http://localhost:8108/collections
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8108 (#0)
> OPTIONS /collections HTTP/1.1
> Host: localhost:8108
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: http://localhost:8108
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: Content-Type
>
< HTTP/1.1 200 OK
< Date: Tue, 02 Jan 2018 04:54:19 GMT
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS
< Access-Control-Allow-Headers: Content-Type
< Access-Control-Max-Age: 86400
< transfer-encoding: chunked
<
* Connection #0 to host localhost left intact

[jasonbosco]

@kishorenc Following up from this comment, I tested out typesense/typesense:0.8-api-changes. We're one step closer...

I'm now running into this issue:

The browser is sending the request and receiving a response, but it's refusing to process the response for the GET request because there are no Access-Control-* headers in the response to the GET request. Only the OPTIONS request's response has those headers:

Looking at the MDN documentation for CORS, Access-Control headers need to be mirrored on the actual GET/POST requests' responses in addition to the pre-flight OPTIONS request.

[kishorenc]

@jasonbosco Okay, Access-Control-Allow-Origin is now sent in all responses when CORS is enabled. I've republished the typesense/typesense:0.8-api-changes docker image with that change.

[jasonbosco]

Alright! Works fine now.